[Freeipa-users] ipa-getkeytab and mandatory password change

Dmitri Pal dpal at redhat.com
Tue Jun 19 18:45:06 UTC 2012


On 06/19/2012 02:12 PM, Stephen Ingram wrote:
> On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce <simo at redhat.com> wrote:
>> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
>>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal <dpal at redhat.com> wrote:
>>>> On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
>>>>> Just experienced some weird behaviour on my Fedora 17 installation,
>>>>> just wanted to check if this was expected.
>>>>>
>>>>> I have the default config that requires a user to change their
>>>>> password the first time they run kinit.
>>>>>
>>>>> However I created a user and immediately used ipa-getkeytab as this
>>>>> user will be a non-interactive process. Despite ipa-getkeytab
>>>>> resetting the secret for the user, the first attempt at authentication
>>>>> failed as the user was still told to change their password.
>>>>>
>>>>
>>>> I do not think we have anticipated this use. The ipa-getkeytab is
>>>> designed for host and service keytabs, not for users. I suggest that
>>>> you use a service principal rather than a user principal to run those jobs.
>>>> You can also file an RFE to allow keytabs for users if you think that
>>>> services would not work for you.
>>>>
>>>>> My expectation would have been that any update to the secret should
>>>>> meet the requirement for the user to change their password.
>>> Darran-
>>>
>>> I'm not sure if you went further with this, but if you do change the
>>> password through other means, you then will be able to get a copy of
>>> the keytab for the user with ipa-getkeytab. I tried it out because the
>>> thought of not being able to get a keytab for a user was concerning. I
>>> agree that the service keytabs make more sense for these instances (I
>>> was also told this by Simo in another thread), but I keep being told
>>> by the application people that I need to use a user principal, which,
>>> thankfully works.
>> Ask them why, I am curious about the requirement.
> I'm still waiting for responses. The only thing I've been told thus
> far is that since there are multiple processes authenticating to their
> respective servers, it might be difficult to direct each to the proper
> credential cache. If you use one user to auth to each server process
> then there is only one credential cache.
>
> Steve
This seems like an orthogonal problem. It does not matter if it is a
service principal(s) or user principal(s). As long as a group of
processes that are using the same principal are configured to use the
same cache you should be OK.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
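The arrangement Dmitri describes, a group of non-interactive processes sharing one service principal and one credential cache, as an added example that is not part of the thread. The keytab path, principal name, cache location and script name below are assumptions; the point it demonstrates is that every worker exports the same KRB5CCNAME and the ticket is obtained from a keytab with kinit -k, so the "change password on first kinit" policy for user principals never enters the picture.

```shell
#!/bin/sh
# Added example (not from the Freeipa-users thread): one service principal,
# one shared credential cache, many unattended workers.
# Assumed names: /etc/app/app.keytab, HTTP/app.example.com@EXAMPLE.COM,
# FILE:/var/run/app/krb5cc_app, run_job.sh.
KEYTAB="${KEYTAB:-/etc/app/app.keytab}"
PRINCIPAL="${PRINCIPAL:-HTTP/app.example.com@EXAMPLE.COM}"
CACHE="${CACHE:-FILE:/var/run/app/krb5cc_app}"

# A service principal has the form primary/instance@REALM; a user principal
# is just name@REALM. Unattended jobs should use the former, as advised in
# the thread, so refuse a user-style name up front.
is_service_principal() {
    case "$1" in
        */*@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the environment file every worker sources (or that a systemd unit
# loads with EnvironmentFile=). Pointing them all at the same KRB5CCNAME is
# what makes them share one ticket instead of each looking in a per-uid
# default cache. Prints the file content so the caller can inspect it.
write_env_file() {
    envfile="$1"
    printf 'KRB5CCNAME=%s\nKRB5_CLIENT_KTNAME=%s\n' "$CACHE" "$KEYTAB" > "$envfile"
    cat "$envfile"
}

# Obtain a TGT from the keytab into the shared cache. kinit -k reads the key
# from the keytab, so no password prompt and no first-login password change.
renew_ticket() {
    export KRB5CCNAME="$CACHE"
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
    # klist -s exits non-zero when the cache holds no valid ticket.
    klist -s
}

main() {
    if ! is_service_principal "$PRINCIPAL"; then
        echo "refusing user principal $PRINCIPAL; use a service principal" >&2
        exit 2
    fi
    write_env_file "${ENVFILE:-/etc/app/krb5.env}" > /dev/null
    renew_ticket
}

# Only run the Kerberos steps when invoked as the script itself, so the
# helper functions can be sourced and reused (or tested) without kinit.
case "${0##*/}" in
    run_job.sh) main "$@" ;;
esac
```

A cron job or systemd unit for each worker then only needs to load the same environment file; renewing the ticket is a separate periodic job so that a principal reused by several processes is refreshed in one place.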

